SentinelOne

Cybersecurity · Endpoint protection · XDR · AI-driven security Mountain View (HQ) · Tel Aviv (R&D), Boston, Prague, Tokyo~2,500 globally · several hundred in Israel R&D

SentinelOne's Tel Aviv R&D is the engine behind the AI-native shift the company has been making since the August 2025 Prompt Security acquisition ($250M, Israeli LLM-runtime startup). Junior intake here splits between ML / threat-research roles (heavy in malware analysis + Linux/macOS internals) and platform engineering on the AI-driven SIEM that will absorb the September 2025 Observo AI acquisition. Greenhouse ATS, English-first.

SentinelOne — open positions Score my CV against SentinelOne

ATS

Greenhouse

Hebrew

helpful

Citizenship

not required

Last verified

2026-05-02

Programs

ML Research Intern (Tel Aviv)

Project-based ML research role inside SentinelLabs / the broader Tel Aviv R&D. Active areas in 2026 include LLM-runtime security (post-Prompt acquisition), telemetry-pipeline ML (post-Observo AI announcement), and threat-detection model training on SentinelOne's endpoint dataset. Interns ship code into product, not just papers.

Eligibility: MSc / PhD students in CS / EE / data-science with hands-on ML model training. Threat-detection or anomaly-detection coursework or thesis work is a meaningful tiebreaker. Interns who can articulate a research direction tied to one of SentinelOne's product areas convert at higher rates than generalists.
Schedule: 3–6 months · part-time during semester / full-time on summer · Tel Aviv office.

Apply on SentinelOne careers

Cyber Threat Research Intern (Tel Aviv)

Reverse-engineering and malware-analysis projects inside SentinelLabs. Heavier than the ML track on Linux internals, macOS internals, and binary analysis tooling (IDA, Ghidra, Frida). Most interns come from CS programs with a security minor, military signal-corps backgrounds, or active CTF participation.

Eligibility: BSc / MSc / PhD students with hands-on RE / malware-analysis. Even a single CTF write-up published online counts as evidence. Linux + macOS internals familiarity (read kernel docs, debugged a kernel module, etc.) is a strong screen.
Schedule: 3–6 months · part-time during semester · Tel Aviv office.

Apply on SentinelOne careers

Who they hire

SentinelOne's Tel Aviv R&D is one of the more academically-oriented Israeli cyber operations. The ML-research track pulls heavily from MSc / PhD students at the Technion, Tel Aviv University, and the Hebrew University; the threat-research track pulls from CS-with-security students plus a meaningful share of 8200 / 9900 / Mamram alumni. SentinelLabs has a published research output (the Greenhouse board lives at boards.greenhouse.io/embed/job_board?for=sentinellabs — distinct from the corporate board, which signals how seriously the lab is treated internally). English is the working language for cross-region collaboration with Mountain View; Hebrew helps with team rituals but isn't a screening filter.

The process

Pipeline runs through Greenhouse — the SentinelLabs board is dedicated, separate from the corporate Greenhouse instance. After CV screen — typically 7–14 days at SentinelLabs' volume — successful candidates hit a domain-specific technical screen. ML candidates: 60-minute conversation about your most recent project + a take-home with a small dataset; the bar is methodology, not Kaggle ranking. Threat-research candidates: 60-minute walkthrough of one CTF you've solved or a malware sample you've reversed, plus follow-ups on Linux/macOS internals. Tech panel: 90 minutes with two senior researchers (live coding + research-direction discussion). Final round is research-group fit. Total time from CV to offer is 4–7 weeks. Code review during the take-home is famously strict — preference for candidates who write tests and document assumptions.

SentinelOne CV — what to include

For ML roles, lead with one project where you trained a model end-to-end on a real dataset — not a Kaggle scoreboard run. SentinelLabs reviewers grade methodology more than headline metric.
For threat-research roles, link to one CTF write-up or one reversed sample on your blog / GitHub. The team explicitly hires from this signal.
List specific tooling (IDA Pro, Ghidra, Frida, Volatility, YARA) with a project that used it. Tooling-named CVs are read as concrete.
Linux kernel + macOS XNU familiarity is rare and rewarded. Even "I read the OS internals book and debugged a kmod" lands.
Mention any Anthropic / OpenAI / Gemini API integration you've built post-2024, especially anything touching prompt-injection defense or runtime monitoring — directly relevant after the Prompt Security acquisition.
If you're 8200 / 9900 / Mamram, name the unit. SentinelLabs has internal continuity with these pipelines and the unit name is a real signal.

Common mistakes that get you filtered

ML CV that's all Kaggle-scoreboard wins without a real-data end-to-end project. SentinelLabs grades methodology depth, not benchmark heat.
Threat-research CV without a single linked write-up or reversed sample. Saying you "like reverse engineering" without artifacts is a non-starter.
Generic AI/ML framing without a specific direction (anomaly detection, malware classification, LLM-runtime safety). The lab evaluates one direction over many.
Over-relying on Coursera certificates as primary credentials. They count as supplements, not headline material.
Not addressing the SentinelOne / Mountain View collaboration angle at the offer-stage culture round. The Tel Aviv R&D coordinates daily with HQ; "I prefer remote" framing reads as off-fit.

Insights that aren't on the company's careers page

SentinelOne acquired Prompt Security in August 2025 for ~$250M — an Israeli startup focused on securing LLMs in runtime and preventing data leakage from generative-AI tools. This shifted SentinelLabs' Tel Aviv hiring toward LLM-runtime security in a way the careers page doesn't yet name explicitly.
The September 2025 announcement to acquire Observo AI (real-time data-pipeline platform for telemetry) is folding into SentinelOne's SIEM stack. ML and platform-engineering juniors hired in 2026 are likely to land on the integration team — useful context for the panel conversation.
SentinelLabs has a separate Greenhouse board (boards.greenhouse.io/embed/job_board?for=sentinellabs) distinct from the corporate Greenhouse instance. Different ATS routing means CV-tuning behavior is technically the same Greenhouse, but pipeline ownership is different.
Mountain View HQ runs the corporate side, but Tel Aviv carries the heavier R&D weight — the company's threat-research output (SentinelLabs blog, conference papers) comes overwhelmingly from the Israeli office. Public output is a real recruiting signal SentinelLabs leans on.
The Israeli cyber-threat-research pipeline at SentinelOne has internal continuity with 8200 / 9900 / Mamram alumni. While not officially advertised, the lab's hiring patterns reflect the depth of Israeli signal-corps + cyber-unit pipelines.
Strict code review during take-home assignments is repeatedly mentioned in Glassdoor interview reviews. Candidates who lead with tested, documented code — even if simpler — outperform candidates who optimize for cleverness.

Does your CV match SentinelOne?

Korotchaim scores your CV against an actual SentinelOne job description. Free preview — no signup.

Try the demo

Sources

https://www.sentinelone.com/careers/ · official · 2026-05-02
https://boards.greenhouse.io/embed/job_board?for=sentinellabs · official · 2026-05-02
https://en.wikipedia.org/wiki/SentinelOne · third-party · 2026-05-02
https://www.calcalistech.com/ctechnews/article/im5ma59bu · news · 2026-05-02
https://www.sentinelone.com/press/sentinelone-to-acquire-observo-ai-to-revolutionize-siem-and-security-operations/ · official · 2026-05-02